US10778668B2 (Active, Utility patent)

HTTP session validation module

Assignee: DELL PRODUCTS LP
Priority: Jun 2, 2017
Filed: Jun 2, 2017
Granted: Sep 15, 2020
Est. expiry: Jun 2, 2037 (~10.9 yrs left; nominal 20-yr term from priority)
Inventors: BHATTACHARYA ABHIJEET; ARAKKAL RAJEEV
Classifications: H04L 63/1483; H04L 63/0245; H04L 67/141; H04L 67/146; H04L 63/062; H04L 67/02; H04L 63/083; H04L 63/168; H04L 63/10; H04L 63/12; H04L 65/1069

Abstract

A web server receives a packet including a web request from a browser of a client. The request includes a session cookie comprising a client token and a session identifier. A secret session token is calculated based on the session identifier and header data that includes data from one or more packet header fields. The web request is processed if the secret session token matches the client token and blocked otherwise. Determining the secret session token may include hashing the session identifier, at least a portion of a user agent string included in a user agent header of the web request, and at least a portion of a source IP address included in an IP header of the packet. The secret session token may have been provided to the client as a session cookie included in a response to an initial web request from the client.

Claims

What is claimed is:

1. A web server, comprising:
  a processor;
  a network interface to couple the web server to a network; and
  a computer readable medium including processor executable instructions that, when executed by the processor, result in operations comprising:
  receiving a pre-session request from a web client;
  extracting, from the pre-session request, one or more data items indicative of a source of the pre-session request;
  generating a session identifier corresponding to the pre-session request;
  generating a secret session token based on the one or more data items and the session identifier;
  sending a response to the pre-session request, wherein the response includes a tokenized session identifier indicative of the session identifier and the secret session token; wherein the tokenized session identifier comprises a concatenation, wherein the concatenation comprises the session identifier concatenated with the secret session token;
  responsive to receiving an in-session request from the web client, performing a verification of a client token, included with the in-session request, against the secret session token;
  responsive to verifying the client token, processing the in-session request; and
  responsive to not verifying the client token, blocking the in-session request.

2. The web server of claim 1, wherein the client token included in the in-session request is included in a session cookie included with the in-session request.

3. The web server of claim 1, further comprising:
  determining, based on a presence or an absence of a session identifier within a particular request, whether the particular request comprises a pre-session request.

4. The web server of claim 1, wherein the pre-session request comprises a hypertext transfer protocol (HTTP) request and further wherein the pre-session request comprises an HTTP GET request.

5. The web server of claim 4, wherein extracting the one or more data items comprises extracting a first data item indicative of a client browser corresponding to the pre-session request.

6. The web server of claim 5, wherein the first data item comprises user agent data included in a header of the pre-session request.

7. The web server of claim 6, wherein extracting the one or more data items comprises extracting a second data item, indicative of a network address, corresponding to the pre-session request.

8. The web server of claim 7, wherein the second data item comprises a network portion of a source IP address of the pre-session request, wherein the network portion of the source IP address comprises a portion of the IP address that does not vary among requests within a particular session.

9. The web server of claim 8, wherein generating the secret session token includes performing a hash of:
  the network portion of the source IP address;
  the user agent data; and
  the session identifier.

10. A web server method, comprising:
  receiving a pre-session request from a web client;
  extracting from the pre-session request one or more data items indicative of a source of the pre-session request;
  generating a session identifier corresponding to the pre-session request;
  generating a secret session token based on the one or more data items and the session identifier;
  sending a response to the pre-session request, wherein the response includes a tokenized session identifier indicative of the session identifier and the secret session token, wherein the tokenized session identifier comprises a concatenation, wherein the concatenation comprises the session identifier concatenated with the secret session token;
  responsive to receiving an in-session request from the web client, performing a verification of a client token, included with the in-session request, against the secret session identifier;
  responsive to verifying the client token, processing the in-session request; and
  responsive to not verifying the client token, blocking the in-session request.

11. The web server method of claim 10, wherein the client token included in the in-session request is included in a session cookie included with the in-session request.

12. The web server method of claim 10, further comprising:
  determining, based on a presence or absence of a session identifier within a particular web request, whether the particular web request comprises a pre-session request.

13. The web server method of claim 10, wherein the pre-session request comprises a hypertext transfer protocol (HTTP) request and further wherein the pre-session request comprises an HTTP GET request.

14. The web server method of claim 13, wherein extracting the one or more data items comprises extracting a first data item indicative of a client browser corresponding to the pre-session request.

15. The web server method of claim 14, wherein the first data item comprises user agent data included in a header of the pre-session request.

16. The web server method of claim 15, wherein extracting the one or more data items comprises extracting a second data item, indicative of a network address, corresponding to the pre-session request.

17. The web server method of claim 16, wherein the second data item comprises a network portion of a source IP address of the pre-session request, wherein the network portion of the source IP address comprises a portion of the source IP address that does not vary among requests within a particular session, wherein the portion of the source IP address that does not vary among requests within the particular session comprises a most significant 16 bits of a 32-bit IP address.

18. The web server method of claim 17, wherein generating the secret session token includes performing a hash of:
  the network portion of the source IP address;
  the user agent data; and
  the session identifier.

19. An information handling system, comprising:
  a processor;
  a network interface, configured to communicatively couple the processor to a network; and
  a computer readable medium including processor executable instructions that, when executed, cause the processor to perform operations comprising:
  receiving a packet comprising a web request from a web client, wherein the web request includes a tokenized session identifier, wherein the tokenized session identifier comprises a concatenation of a client token and a session identifier;
  determining, based on the session identifier and header data comprising data from one or more header fields of the packet, a secret session token for the web request;
  determining whether the secret session token for the web request matches the client token;
  processing the web request responsive to the secret session token matching the client token; and
  blocking the web request responsive to the secret session token not matching the client token.

20. The information handling system of claim 19, wherein said determining comprises:
  hashing a combination of:
  the session identifier;
  at least a portion of a user agent string included in a user agent header of the web request; and
  a network portion of a source IP address included in an IP header of the packet.
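The validation flow described in the abstract and in claims 1, 3, 17 and 19 (pre-session detection by cookie presence, token over the /16 network portion of the source IP plus user agent plus session id, tokenized cookie as a concatenation, verification and blocking), as an added worked example that is not part of the patent text. The claims only call for a hash; this example uses a keyed hash (HMAC-SHA256) with a server-held key, which is an assumption added here so that a holder of a stolen cookie cannot recompute a token for a different network or browser. The cookie name `SESSION`, the `.` separator and all sample values are constructed.

```python
import hmac
import hashlib
import ipaddress
import secrets

# Constructed server-side key (assumption: the claims specify only a hash;
# keying it prevents token recomputation by anyone who learns the session id).
SERVER_KEY = b"constructed-demo-key-rotate-in-production"


def network_portion(src_ip: str) -> bytes:
    """Most significant 16 bits of the 32-bit source address (claim 17)."""
    return ipaddress.IPv4Address(src_ip).packed[:2]


def secret_session_token(session_id: str, user_agent: str, src_ip: str) -> str:
    """Keyed hash over network portion, user agent data and session id (claims 9/18/20)."""
    msg = network_portion(src_ip) + b"|" + user_agent.encode() + b"|" + session_id.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def is_pre_session(cookies: dict) -> bool:
    """Claim 3: a request with no session identifier is a pre-session request."""
    return "SESSION" not in cookies          # cookie name is a constructed assumption


def handle_pre_session(user_agent: str, src_ip: str) -> str:
    """Generate session id and token; return the tokenized session identifier (claim 1)."""
    session_id = secrets.token_hex(16)
    token = secret_session_token(session_id, user_agent, src_ip)
    return session_id + "." + token          # session identifier concatenated with token


def verify_in_session(cookie_value: str, user_agent: str, src_ip: str) -> bool:
    """Recompute the token from this request's own headers; constant-time compare."""
    try:
        session_id, client_token = cookie_value.split(".", 1)
    except ValueError:                       # malformed cookie: block (claim 1)
        return False
    expected = secret_session_token(session_id, user_agent, src_ip)
    return hmac.compare_digest(expected, client_token)


def demo() -> dict:
    """Constructed traffic: same /16 passes, other network or browser is blocked."""
    ua = "Mozilla/5.0 (constructed UA)"
    cookie = handle_pre_session(ua, "203.0.113.10")
    return {
        "same_network": verify_in_session(cookie, ua, "203.0.113.77"),
        "other_network": verify_in_session(cookie, ua, "198.51.100.10"),
        "other_browser": verify_in_session(cookie, "curl/8.0 (constructed)", "203.0.113.10"),
        "malformed": verify_in_session("no-separator", ua, "203.0.113.10"),
    }
```

Because only the top 16 bits of the address are bound, a client whose last two octets change (NAT pool, DHCP lease) keeps its session, while a cookie replayed from another /16 or another user agent is blocked.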
